Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security
Balancing Safety and Security
Tamara Denning (1), Tadayoshi Kohno (1), Kevin Fu (2)
(1) University of Washington, (2) University of Massachusetts at Amherst


SLIDE 1

Absence Makes the Heart Grow Fonder:
New Directions for Implantable Medical Device Security

Balancing Safety and Security

Tamara Denning (1), Tadayoshi Kohno (1), Kevin Fu (2)

(1) University of Washington, (2) University of Massachusetts at Amherst

http://www.secure-medicine.org

SLIDE 2

Implantable Medical Devices (IMDs)

Tamara Denning, University of Washington, HotSec 2008
7/29/2008

- Pacemakers, Implantable Cardioverter Defibrillators (ICDs), Drug Pumps, Neurostimulators
- Life-Supporting/Quality of Life
- Devices Have Wireless Capabilities

SLIDE 3

Wireless ICD Attacks

- Obtain serial number, patient name, diagnosis
- Turn off therapies
- Induce cardiac fibrillation

Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses [Halperin], Oakland '08

SLIDE 4

Why Security? Malicious Attacks

SLIDE 5

Malicious Computer-Based Attacks

SLIDE 6

Current Security

- IMD does not keep list of authorized programmers
- How about keeping a list and only allowing authorized programmers?

[Diagram labels: CLOSED ACCESS, OPEN ACCESS]

SLIDE 7

Goals of IMD Security

[Diagram labels: Y, Y, N]

SLIDE 8

Tensions of IMD Security

- Safety in the Common Case
  - Timely access anywhere, anytime
- Security in the Adversarial Case
  - Protect from unauthorized access

[Diagram labels: CLOSED ACCESS, OPEN ACCESS]

SLIDE 9

Insufficient Approaches

- Case-by-Case Access Credentials
- User Alert
- Require Close Proximity

[Diagram labels: CLOSED ACCESS, OPEN ACCESS]

SLIDE 10

Insufficient Approaches

- Case-by-Case Access Credentials
- User Alert
- Require Close Proximity

[Diagram labels: CLOSED ACCESS, OPEN ACCESS]

SLIDE 11

Insufficient Approaches

- Case-by-Case Access Credentials
- User Alert
- Require Close Proximity

[Diagram labels: CLOSED ACCESS, OPEN ACCESS]

SLIDE 12

What about encryption with a carried passkey?

[Diagram labels: Y, Y, N]

SLIDE 13

What about encryption with a carried passkey?

[Diagram labels: Y, Y, N, N]

SLIDE 14

New Approach

What if we REMOVE something to gain access?

Communication Cloaker

SLIDE 15

How it works

[Diagram labels: N, Y, Y]

SLIDE 16

Communication Cloaker

- Present
  - Allows Pre-Approved Programmers (common case)
  - Blocks Unauthorized Programmers (adversarial case)
- Absent
  - Fails open…Allows All Programmers!

[Diagram labels: CLOSED ACCESS, OPEN ACCESS]

SLIDE 17

Assumptions

- IMD Power is Limited – Use Cheap Cryptography
- Cloaker Can be Recharged – Use Heavier Cryptography
- IMD and Cloaker are Paired Long-term

SLIDE 18

Challenges

- How to handle IMD-Programmer communications?
- How the IMD “knows” the Cloaker's presence?
- What if the emergency staff can't locate the Cloaker?

SLIDE 19

Challenges…Possible Answers

- How to handle IMD-Programmer communications?
  - Hand off symmetric key pair
  - Proxy
- How the IMD “knows” the Cloaker's presence?
  - IMD listens and queries oracle
  - Keep-alives
- What if the emergency staff can't locate the Cloaker?
  - Pulse sensor

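An added example, not part of the original slides or the authors' Java simulation: a small Python model of the fail-open rule from the Communication Cloaker slide combined with the keep-alive answer listed above. The HMAC-SHA256 keep-alive format, the replay counter, the 5-second timeout and the programmer names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEEPALIVE_TIMEOUT_S = 5.0  # assumed value; the slides give no timing


def cloaker_keepalive(key, counter):
    """Cloaker side: one authenticated keep-alive as (counter, tag)."""
    tag = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return counter, tag


class Imd:
    """IMD side: tracks Cloaker presence from verified keep-alives."""

    def __init__(self, pairing_key):
        self.key = pairing_key   # long-term IMD/Cloaker pairing secret
        self.last_counter = -1   # highest counter accepted so far
        self.last_seen = None    # time of the last valid keep-alive

    def on_keepalive(self, counter, tag, now):
        _, expected = cloaker_keepalive(self.key, counter)
        if counter <= self.last_counter or not hmac.compare_digest(tag, expected):
            return False         # replayed or forged: presence not refreshed
        self.last_counter, self.last_seen = counter, now
        return True

    def cloaker_present(self, now):
        return self.last_seen is not None and now - self.last_seen <= KEEPALIVE_TIMEOUT_S


def access_allowed(imd, preapproved, programmer_id, now):
    """Present: only pre-approved programmers. Absent: fail open."""
    if imd.cloaker_present(now):
        return programmer_id in preapproved
    return True


def demo():
    key = b"constructed-pairing-key"       # constructed sample secret
    preapproved = {"clinic-programmer"}    # constructed sample identifier
    imd = Imd(key)
    counter, tag = cloaker_keepalive(key, 1)
    return [
        imd.on_keepalive(counter, tag, now=0.0),                   # valid
        access_allowed(imd, preapproved, "clinic-programmer", 1.0),
        access_allowed(imd, preapproved, "other-programmer", 1.0),
        imd.on_keepalive(counter, tag, now=4.0),                   # replay
        imd.on_keepalive(2, bytes(32), now=4.0),                   # bad tag
        access_allowed(imd, preapproved, "other-programmer", 10.0),  # timed out
    ]
```

In this model, loss of keep-alives for any reason, including interference, has the same effect as removing the Cloaker, which is why presence detection appears among the challenges.
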
SLIDE 20

Preliminary Simulation

- 14 Java classes
- TCP sockets
- Inputs alter system
  - Selective DoS, jamming all wireless
- Manageable code size

Module Type    Code Size
Cloaker        179
IMD            115
Programmer     44
Other          294

Code Function  Code Size
I/O            124
Configuration  72
Communication  436

SLIDE 21

Summary

- New Approach to IMD Security
- Further Investigations:
  - Passively-powered transceivers (WISPs)
  - Patient must wear Cloaker
  - Psychological Impact
  - What if the patient's wrist is trapped in a car?

SLIDE 22

Interesting Research Landscape!

[Diagram labels: Safety (open access), Security (closed access), Auditability, IMD Response Time, Battery Life, Storage Constraints, Patient Usability, Psychological Effects, High Impact]